Tuesday, August 27, 2013

Anti Debugging Trick

Anti-debugging is a popular anti-analysis technique used by malware to recognize when it is under the control of a debugger or to thwart debuggers. Malware authors know that malware analysts use debuggers to figure out how malware operates, and the authors use anti-debugging techniques in an attempt to slow down the analyst as much as possible. Once malware realizes that it is running in a debugger, it may alter its normal code execution path or modify the code to cause a crash, thus interfering with the analysts' attempts to understand it, and adding time and additional overhead to their efforts. There are many anti-debugging techniques, perhaps hundreds of them. I will discuss only the most popular ones that we have encountered in the real world, covering as many as I can, and also show some sophisticated ones along with how to defeat them during a debugging session. I will use Python scripting with Immunity Debugger to defeat the tricks; if you don't know about Python scripting with Immunity Debugger, visit this first, it might help you ;). But first let's start with the simplest and most basic one, which uses a Windows API:

IsDebuggerPresent():

By far the most common anti-debugging technique is to use the IsDebuggerPresent function exported from kernel32.dll. This function call takes no parameters and returns 1 if there is a debugger attached to the current process or 0 if there isn't. If we disassemble this function, we see the following assembly:

7C813093 >/$ 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C813099 |. 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
7C81309C |. 0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2]
7C8130A0 \. C3 RETN

This code is loading the address of the Thread Information Block (TIB), which is always located at offset 0x18 from the FS register. From there it loads the Process Environment Block (PEB), which is always located at offset 0x30 in the TIB. The third instruction is setting EAX to the value of the BeingDebugged member in the PEB, which is at offset 0x2 in the PEB. If there is a debugger attached to the process, this byte will be set to 0x1. A simple bypass for this was posted by Damian Gomez of Immunity, and this is one line of Python that can be contained in a PyCommand or executed from the Python shell in Immunity Debugger:

imm.writeMemory( imm.getPEBaddress() + 0x2, "\x00" )

This code simply zeros out the BeingDebugged flag in the PEB, and now any malware that uses this check will be tricked into thinking there isn't a debugger attached.
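To make the three instructions above and the one-line patch concrete, here is an added C example (my own, not code from the post, from Immunity or from Gray Hat Python). It replays the TIB -> PEB -> BeingDebugged walk over a constructed 32-bit memory image, where tib_addr stands in for the value at FS:[0x18], and then applies the same write the imm.writeMemory() line performs. Everything about the image (its size, the TIB at 0x000, the PEB at 0x200) is constructed for the demonstration; only the offsets 0x30 and 0x02 come from the disassembly. The is_debugger_present_manual() function is an assumption-free extra that reads the real PEB, but it is only compiled on 32-bit MSVC builds because it depends on the FS segment layout of 32-bit Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIB_PEB_OFFSET     0x30  /* TIB+0x30 holds the PEB pointer (32-bit Windows) */
#define PEB_BEING_DEBUGGED 0x02  /* PEB+0x02 is the BeingDebugged byte */

/* Little-endian 32-bit read, what MOV EAX,DWORD PTR [EAX+30] does. */
static uint32_t rd32(const uint8_t *mem, uint32_t addr) {
    return (uint32_t)mem[addr] | ((uint32_t)mem[addr + 1] << 8) |
           ((uint32_t)mem[addr + 2] << 16) | ((uint32_t)mem[addr + 3] << 24);
}

/* Equivalent of the three instructions in IsDebuggerPresent, run over a flat
 * memory image: tib_addr plays the role of FS:[0x18]. Returns 1 if the
 * BeingDebugged byte is non-zero, else 0. */
int is_debugger_present_sim(const uint8_t *mem, uint32_t tib_addr) {
    uint32_t peb = rd32(mem, tib_addr + TIB_PEB_OFFSET);   /* MOV EAX,[EAX+30]      */
    return mem[peb + PEB_BEING_DEBUGGED] != 0;             /* MOVZX EAX,BYTE [EAX+2] */
}

/* The Immunity one-liner, imm.writeMemory(peb + 0x2, "\x00"), expressed over
 * the same image. Returns the value the flag had before it was cleared, so a
 * PyCommand-style wrapper could log whether a patch was actually needed. */
uint8_t clear_being_debugged_sim(uint8_t *mem, uint32_t tib_addr) {
    uint32_t peb = rd32(mem, tib_addr + TIB_PEB_OFFSET);
    uint8_t prev = mem[peb + PEB_BEING_DEBUGGED];
    mem[peb + PEB_BEING_DEBUGGED] = 0;
    return prev;
}

/* Build a constructed memory image: a TIB at tib_addr whose +0x30 slot points
 * at a PEB at peb_addr, with BeingDebugged preset to `flag`. */
#define IMG_SIZE 0x400
void build_image(uint8_t *mem, uint32_t tib_addr, uint32_t peb_addr, uint8_t flag) {
    memset(mem, 0, IMG_SIZE);
    mem[tib_addr + TIB_PEB_OFFSET + 0] = (uint8_t)(peb_addr);
    mem[tib_addr + TIB_PEB_OFFSET + 1] = (uint8_t)(peb_addr >> 8);
    mem[tib_addr + TIB_PEB_OFFSET + 2] = (uint8_t)(peb_addr >> 16);
    mem[tib_addr + TIB_PEB_OFFSET + 3] = (uint8_t)(peb_addr >> 24);
    mem[peb_addr + PEB_BEING_DEBUGGED] = flag;
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <intrin.h>
/* Real-process version, 32-bit MSVC only. Because the FS base is the TIB,
 * FS:[0x30] is the PEB pointer directly, so the FS:[0x18] self-pointer hop can
 * be skipped. (On x64 the PEB pointer is at GS:[0x60]; BeingDebugged is still
 * at PEB+0x02.) It returns exactly what IsDebuggerPresent() would. */
int is_debugger_present_manual(void) {
    const uint8_t *peb = (const uint8_t *)__readfsdword(TIB_PEB_OFFSET);
    return peb[PEB_BEING_DEBUGGED] != 0;
}
#endif

int main(void) {
    uint8_t mem[IMG_SIZE];
    build_image(mem, 0x000, 0x200, 1);   /* image as a debugger would leave it */
    printf("before patch: %d\n", is_debugger_present_sim(mem, 0x000));
    clear_being_debugged_sim(mem, 0x000);
    printf("after patch:  %d\n", is_debugger_present_sim(mem, 0x000));
    return 0;
}
```

The simulation makes the limit of the bypass visible: the patch only flips one byte, so any check that does not read PEB+0x02 (or that re-reads it after the process itself restores it) is unaffected, which is why the post goes on to cover further tricks.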

